Deploying EMS via Microsoft Intune (Endpoint Manager) EMM
Intune, or Endpoint Manager (endpoint.microsoft.com), is Microsoft's mobile device manager (MDM) and enterprise mobility management (EMM) solution. While several of its prominent features are Windows-specific, it also supports Android devices and is an Android Enterprise Recommended solution.
While the most seamless user experience for BlueFletch's EMS application suite is device enrollment through BlueFletch's EMM, customers already using Intune may prefer to deploy EMS to their devices through Intune. The steps below describe the most efficient way to utilize Intune for deploying EMS applications; Intune can install Playbook Agent, BlueFletch's enterprise installer app, from the Managed Google Play Store, and it will serve as the primary tool to install all other EMS apps.
- License/Subscription for Microsoft Intune (Endpoint Manager)
- BlueFletch EMS Portal Access (contact email@example.com for more information)
- Zebra Android Device (running Android 6.0+)
Getting Started with Intune
1. Intune environment with linked Managed Google Play
First, ensure that your Intune environment is ready for Android Enterprise device enrollment and Managed Play Store deployments. To enable these features, you must first link a Managed Google Play account to Intune. Within Intune, navigate from the Home blade to Devices > Enroll Devices > Android Enrollment. For more information, please follow the guide from Microsoft.
2. Devices enrolled with Android Enterprise
Now that the prerequisites for Android Enterprise are complete, create an Enrollment Profile for Android devices. In the same Android Enrollment section in Intune, create an enrollment profile for corporate-owned dedicated devices.
Note: Other enrollment profiles can also be used, but the dedicated device option prevents associating enrolled devices with Azure Active Directory accounts and is ideal for shared-user enterprise Android devices. Please refer to the Microsoft documentation for more information regarding enrollment profiles.
3. Playbook app shared with organization's Intune enterprise
In order to access the Playbook Agent from the Managed Play Store for approval, BlueFletch must first share the app to your organization. Please reach out to your BlueFletch account manager for this request. The ID that needs to be provided can be found by following this guide from Google.
4. Auto Grant Permissions, Allow Unknown App, Allow Access to All Google Play Store Apps
In Intune, navigate to Devices > Android > Configuration Profiles. Click the + Create Profile button.
Select "Android Enterprise" as the Platform and "Device Restrictions" as the Profile Type. Click Create.
Name the profile “Grant All App Permissions & Allow All Apps” and select Next.
Expand the General section and locate Default Permission Policy. Set the value to "Auto grant".
Scroll down and expand the Applications section. Locate Allow Installation from Unknown Sources and, directly below it, Allow access to all apps in Google Play store. Set the value for each to "Allow".
Click Next when those changes have been made.
Note: If your device admin has already designated a standard configuration policy, ensure these two settings have been included.
In the Assignments section, click Add groups and include the group(s) which contain the Zebra Android devices intended for Playbook deployment and click Next. For more information on creating groups and adding devices, please refer to this guide from Microsoft.
Review the profile and then click Create when ready to deploy. With this profile applied, Playbook can run automatically without requiring the user to accept any prompt or provide input.
Preparing EMS Portal to Integrate with Intune EMM
1. Building Plays
Please refer to this guide for creating plays. Plays represent each single action in the process of Playbook Agent deploying the EMS suite onto a device, such as downloading a file, installing an application, or invoking an intent.
2. Building Playbooks
Please refer to this guide for creating playbooks. Playbooks represent groups of plays. The Playbook Agent application uses playbooks to keep a device compliant with changes applied by a device admin.
3. Building Deployment Groups
Please refer to this guide for creating deployment groups. A deployment group is used to assign a playbook to a group of devices. A deployment group could represent a region or a single store.
Approving Playbook App in Play Store
After your BlueFletch account manager has confirmed Playbook has been shared to your organization (see Step 3 from Getting Started with Intune), navigate in Intune to Apps > Android. Click the + Add button.
For App type, select "Managed Google Play app" and press Select.
When the Google Play Store opens, search for “Playbook” and then turn on the "Private" filter.
Click the Playbook icon and then click Approve.
On the pop-up for Permissions, click Approve.
Click Done with the radio button set to “Keep approved when app requests new permissions”.
Finally, click Select and then click Sync to return to the Apps list. Refreshing Apps should display Playbook, but there is often a delay; waiting 1-3 minutes may be required.
Assigning Playbook App
Once the Playbook app is approved for Intune, it must be assigned to a group so that it will show up on devices.
Navigate to Apps > Android and select Playbook from the list.
Select Properties and click the Edit button next to Assignments.
Under Required, click + Add group and select the group or groups that have the Zebra Android devices intended for Playbook deployment, the same group(s) selected in Step 4 of Getting Started with Intune.
Make sure Group mode is "Included".
Press Review + save to review changes and then Save to apply.
Creating App Configuration for Playbook
To link the Playbook app to your BlueFletch EMS organization and deployment group, you must create an app configuration policy in Intune. Go to the Apps blade and select App configuration policies.
Click + Add and select "Managed devices".
Name the policy. Select "Android Enterprise" as the platform and "Fully Managed, Dedicated, and Corporate-Owned Work Profile Only" as the profile type. Select Playbook as the targeted app from the Associated app pane, and press OK and then Next to continue.
On the Settings page, select "Use configuration designer" for the configuration settings format and click + Add.
Select both available fields, "Organization Id" and "Deployment Group Id," from the side pane.
Leave the value type as String, and edit the configuration values to match your company's EMS Organization Id and Deployment Group Id (found on the Portal at ems.bluefletch.com/admin/organizations and ems.bluefletch.com/playbook/deploymentGroups, respectively).
Press Next to continue to the Assignments page, and click the Add groups button under Included groups.
Select the group(s) that contain all Zebra Android devices (again, same groups as in Step 4 of Getting Started with Intune).
Press Next to review and Create to save the policy.
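The procedure above assigns three objects to the same group(s): the Device Restrictions profile (which relaxes app permissions and install sources), the Playbook app, and its app configuration policy. The following is an added example, not BlueFletch or Microsoft code, that audits JSON exports of those three objects for setting drift and mismatched assignments. The field names and enum values are assumed to follow the Microsoft Graph beta schema, and the group ids and sample exports are constructed; confirm both against your own tenant's export.

```python
# Added example: offline audit of Intune objects exported as JSON.
# Assumption: field names and enum values match the Microsoft Graph beta schema.
GROUP = "#microsoft.graph.groupAssignmentTarget"
TENANT_WIDE = {"#microsoft.graph.allDevicesAssignmentTarget",
               "#microsoft.graph.allLicensedUsersAssignmentTarget"}
# Values the guide sets in the Device Restrictions profile (step 4).
EXPECTED = {"appsDefaultPermissionPolicy": "autoGrant",
            "appsAllowInstallFromUnknownSources": True,
            "playStoreMode": "blockList"}  # "Allow access to all apps in Google Play store"

def targets(obj, intent=None):
    """Return (included group ids, assigned tenant-wide?) for one exported object."""
    groups, wide = set(), False
    for a in obj.get("assignments", []):
        if intent and a.get("intent") != intent:
            continue
        kind = a.get("target", {}).get("@odata.type")
        if kind == GROUP:
            groups.add(a["target"]["groupId"])
        elif kind in TENANT_WIDE:
            wide = True
    return groups, wide

def audit(profile, app, app_config):
    """List deviations from the guide: wrong settings or mismatched assignments."""
    out = [f"setting {k}={profile.get(k)!r}, expected {v!r}"
           for k, v in EXPECTED.items() if profile.get(k) != v]
    p, p_wide = targets(profile)
    a, _ = targets(app, intent="required")
    c, _ = targets(app_config)
    if p_wide:
        out.append("relaxed-restrictions profile is assigned tenant-wide")
    out += [f"group {g}: relaxed restrictions but Playbook not required" for g in sorted(p - a)]
    out += [f"group {g}: Playbook required but no app configuration" for g in sorted(a - c)]
    if not p_wide:
        out += [f"group {g}: Playbook required but permissions not auto-granted" for g in sorted(a - p)]
    return out

def _assign(*group_ids, intent=None):
    """Build constructed assignment rows targeting the given group ids."""
    rows = [{"target": {"@odata.type": GROUP, "groupId": g}} for g in group_ids]
    return [dict(r, intent=intent) if intent else r for r in rows]

# Constructed sample exports (group ids are placeholders, not real tenant values).
GOOD_PROFILE = dict(EXPECTED, assignments=_assign("grp-zebra"))
DRIFT_PROFILE = dict(EXPECTED, playStoreMode="allowList",
                     assignments=_assign("grp-zebra", "grp-office-phones"))
APP = {"assignments": _assign("grp-zebra", intent="required")}
APP_CONFIG = {"assignments": _assign("grp-zebra")}

if __name__ == "__main__":
    for name, prof in (("good", GOOD_PROFILE), ("drift", DRIFT_PROFILE)):
        print(name, audit(prof, APP, APP_CONFIG) or "matches the guide")
```

An empty result means the three assignments line up and the profile carries the three values from step 4; any group reported as having relaxed restrictions without Playbook is receiving the permissive profile outside the intended deployment.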
Checking for Compliance
An admin can monitor the compliance of the device in Intune and in EMS Portal.
Intune monitors if a device conforms to its device compliance policies, has successfully installed all apps, and successfully applied device and app configuration profiles.
To view these statuses, navigate to Devices > Android > Android devices. On the device list, each device will have a Compliance column, which correlates to the state of its device compliance profile.
Click on a device for more details.
Under Monitor, the blades that track compliance are Device compliance, Device configuration, App configuration, and Managed Apps.
Device compliance displays the compliance policy or policies on that device and their state, which may be "Compliant", "Not Compliant", or "Not Evaluated".
Device configuration displays the configuration(s) that pertain to the device and whether the device successfully implemented them.
App configuration displays any configuration profiles that have been applied to the device, such as setting the Deployment Group ID and Organization ID for Playbook, as described above, and whether it was successfully applied to the device.
Managed Apps displays all the Managed Google Play Store apps available for the device to install and the current installation status of each.
EMS Portal monitors if a device has successfully run all the plays in its assigned playbook. An admin can view this in Playbook MDM, under the Devices subtab (read more details about the Devices page here).